PhantomBuster automations (Phantoms) are not compatible with two-factor authentication (2FA). Phantoms run in the cloud using a copy of your login session and cannot enter verification codes when a platform like LinkedIn, Facebook, or Instagram triggers a 2FA check. If 2FA is enabled, the Phantom will be redirected to a login page and the launch will fail. To use PhantomBuster, you'll need to temporarily disable 2FA on the connected account or use an account that doesn't require it.
Why 2FA isn't supported in Phantom automations
Phantoms run from the cloud using a copy of your login session called a session cookie.
When 2FA is enabled on your LinkedIn, Facebook, or Instagram account, the platform often asks for a second verification step when it detects a login from a new location, like PhantomBuster's servers.
Since Phantoms can't interact with login screens or enter verification codes, they can't pass this step. That's why:
- The Phantom is redirected to a login or checkpoint page.
- It fails to access the intended URL or perform the task.
- The launch stops without completing the automation.
Example of a Phantom launch failing due to a 2FA prompt, as shown in the Phantom console and activity tab:
Example of full launch log output showing the 2FA checkpoint message:
How to confirm a 2FA redirect in your logs
If your Phantom fails and you're not sure whether 2FA is the cause, you can check your launch logs to confirm. When a Phantom hits a 2FA checkpoint, it logs the URL it was redirected to before stopping.
- Open your Phantom and go to the console.
- Open the logs from the most recent failed launch.
- Look for a line showing Current URL. This is the page the Phantom was redirected to.
The redirect URL tells you which authentication system is blocking the Phantom. For example, a URL containing okta.com or a company domain indicates an enterprise authentication system, meaning your organisation's IT or security team controls the 2FA settings, not the platform itself.
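The check described above can be scripted. The following is an added example, not PhantomBuster code: it pulls every Current URL line out of a launch log and labels the redirect by hostname, matching the domain or its subdomains rather than any URL that merely contains the string. The log line format, the sample log, the host lists and the label names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the log prints "Current URL" followed by the URL on the same line.
CURRENT_URL = re.compile(r"Current URL\W*(https?://\S+)", re.IGNORECASE)

PLATFORM_HOSTS = ("linkedin.com", "facebook.com", "instagram.com")
IDP_HOSTS = ("okta.com", "login.microsoftonline.com")  # Okta, Microsoft Entra ID

# Constructed sample log, not real PhantomBuster output.
SAMPLE_LOG = """\
Opening profile page with the saved session cookie
Current URL: https://www.linkedin.com/checkpoint/challenge/EXAMPLE
Current URL: https://acme.okta.com/login/login.htm
Current URL: https://okta.com.sso-portal.example/signin
"""


def host_matches(host, domain):
    """True for the domain itself or one of its subdomains, never a substring."""
    return host == domain or host.endswith("." + domain)


def classify_redirect(url):
    """Label the system that served the page the Phantom was redirected to."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if any(host_matches(host, d) for d in IDP_HOSTS):
        return "enterprise-idp"
    if any(host_matches(host, d) for d in PLATFORM_HOSTS):
        path = parts.path.lower()
        if "checkpoint" in path or "login" in path:
            return "platform-checkpoint"
        return "platform-page"
    # Company SSO portal or anything else: needs a manual look.
    return "other-domain"


def find_redirects(log_text):
    """Return (url, label) for every "Current URL" line in a launch log."""
    urls = [m.group(1).rstrip(".,;") for m in CURRENT_URL.finditer(log_text)]
    return [(u, classify_redirect(u)) for u in urls]


if __name__ == "__main__":
    for url, label in find_redirects(SAMPLE_LOG):
        print(f"{label:20} {url}")
```

A result of other-domain covers the company-domain case mentioned above and should be reviewed by hand, since the third sample line shows that a hostname can contain okta.com without belonging to Okta.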
What to do if your account uses 2FA
For personal accounts
If you're comfortable doing so:
- Temporarily disable 2FA while setting up your Phantom.
- Once your session is connected, you may re-enable 2FA, but the Phantom may stop working if your session expires or becomes invalid.
For business accounts or teams
- Check with your IT team or account administrator to see if 2FA can be disabled or bypassed for the account used in automation.
- If that's not possible, consider using a different account that doesn't require 2FA (e.g. a team-managed account or personal profile).
If your company uses enterprise SSO
If your organisation enforces Single Sign-On (SSO) with mandatory MFA at the identity provider level (for example via Okta or Microsoft Entra ID), PhantomBuster is not able to work around this. The session cookies Phantoms rely on are not sufficient to authenticate when SSO is enforced server-side.
The only workaround is to use a dedicated account that is excluded from your company's SSO policy. If that's not possible, contact your IT team. This is a company-wide authentication decision that PhantomBuster can't override.
2FA and your PhantomBuster account
PhantomBuster does not currently support enabling 2FA for user logins to its own platform. Authentication is handled via email and password.
To keep your PhantomBuster account secure:
- Use a strong, unique password.
- Enable email alerts for suspicious activity (via account settings).
- Avoid reusing credentials across platforms.
Tips to keep your session active and stable
Even without 2FA, sessions can expire or become invalid. Here's how to keep them running smoothly:
- Use the PhantomBuster browser extension to automatically retrieve and refresh your session.
- Avoid logging out of your platform account, as this invalidates your session cookie.
- Start slowly with your automation to avoid suspicious login activity or platform blocks.
Frequently asked questions
Does PhantomBuster work with two-factor authentication (2FA)?
No. Phantoms run from the cloud using session cookies and can't interact with login screens or enter verification codes. If a platform triggers a 2FA prompt, the Phantom will fail.
Can I re-enable 2FA after connecting my account to PhantomBuster?
You can, but the Phantom may stop working the next time your session expires or becomes invalid. When that happens, you'll need to disable 2FA again to reconnect.
Does PhantomBuster itself support 2FA for logging into my PhantomBuster account?
Not currently. PhantomBuster uses email-and-password authentication. To keep your account secure, use a strong unique password and enable email alerts for suspicious activity.
What should I do if my company requires 2FA on all LinkedIn accounts?
Check with your IT team whether 2FA can be disabled for the specific account used in automation. If not, consider using a separate team-managed account that doesn't require 2FA.
My company uses enterprise SSO (Single Sign-On) with mandatory MFA - can PhantomBuster work with this?
No. When SSO is enforced at the identity provider level (for example via Okta or Microsoft Entra ID), the session cookies Phantoms rely on are not sufficient for authentication. There is no workaround on PhantomBuster's side. The only option is to use a dedicated account that is excluded from your company's SSO policy. If that's not possible, your IT team would need to adjust the policy.